

 .---.        .---.                                                                 .----------.
 |    \      /    |    .-.                                                          |          |
 |  |\ \    / /|  |    | |    .--------.   .-----------.  .---------.  .-------.    |  .-------'
 |  | \ \  / / |  |    `-'    | .------'   `----. .----'  | .-------'  | ,---. |    |  | 
 |  |  \ \/ /  |  |    .-.    | |               | |       | |          | |   | |    |  `----.
 |  |   \__/   |  |    | |    \ \               | |       | `----.     | `---' |    |  ,----'
 |  |          |  |    | |     \ `-----.        | |       | ,----'     |  .---'     |  |
 |  |          |  |    | |      `----. |        | |       | |          | , \        |  |
 |  |          |  |    | |           | |        | |       | |          | |\ \       |  |
 |  |          |  |    | |           | |        | |       | |          | | \ \      |  '-------.
 |  |          |  |    | |    .------' |        | |       | '------.   | |  \ \     |          |
 `--'          `--'    `-'    `--------'        `-'       `--------'   `-'   `-'    `----------'


                                  .----------------------. 
                      .-----------|   Proudly Presents   |-----------.
       .--------------+----------------------------------------------+--------------.
       |                            A cracking tutor for:                           |
       |            MexElite's Crackme V4.0 (231.424 bytes) coded by nIabI          |
       `----------------------------------------------------------------------------'




This Crackme is much harder than V1.0.
In this tutor I assume you know the basics of SoftIce. Read my other tuts for a more basic
description of how to crack. If you are a complete newbie to SoftIce I recommend reading
"SoftIce for beginners" (www.fravia.org) or Mammals "Mankind comes into the Ice Age".

CrackMe Rating: medium

Programs I have used:

- SoftIce V3.2
- W32dasm V8.9
- MexElite's Crackme (http://crackme.home.ml.org)


.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


1st: start SoftIce and place a breakpoint on these APIs:

getwindowtexta     <= 32 bit
getwindowtext      <= 16 bit
getdlgitemtexta    <= 32 bit
getdlgitemtext     <= 16 bit

Fire the Crackme and enter a name (MisterE) and a s/n (123454). When you press the Check button
nothing happens. Wrong breakpoints. So clear them and put a new breakpoint on hmemcpy. When you
press the Check button this time, you get kicked back into Softice.

Press F12 a few times, until you get in protected mode 32bit code (prot32). 
Now do a search on the s/n you entered (123454)

The address 802EE132 contained my s/n. You are likely to find other addresses, just continue 
my tutor using your addresses instead. You can disable the breakpoint on hmemcpy now. When you
continue running the program (ctrl - d) you get kicked back into softice a few times, but 
you won't find anything important there. Like I said, this crackme is harder than V1.0.

Hmm, what should we do now? Well, let's try w32dasm to see if we can come up with something.
At w32dasm: open the crackme and go to Refs - String Data References. When you look at the
strings you should notice these two:

"Bad Name Or Serial Number !!!!!"
"Good Serial, Thanks For trying "

Double-click on "Good Serial, Thanks For trying" and you'll end up here:

:0042DCB2 A360F74200              mov dword ptr [0042F760], eax
:0042DCB7 A158F74200              mov eax, dword ptr [0042F758]
:0042DCBC 3B0560F74200            cmp eax, dword ptr [0042F760]    <= compare s/n 
:0042DCC2 7517                    jne 0042DCDB                     <= bad s/n, go to 42DCDB 
:0042DCC4 6A00                    push 00000000                       good s/n, continue running
:0042DCC6 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DCCD B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
                                        ->"this Crackme bY nIabI !"
                                  |
:0042DCCF B8A0DD4200              mov eax, 0042DDA0
:0042DCD4 E867F1FFFF              call 0042CE40
:0042DCD9 EB15                    jmp 0042DCF0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB 6A00                    push 00000000
:0042DCDD 668B0D1CDD4200          mov cx, word ptr [0042DD1C]
:0042DCE4 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
                                  |
:0042DCE6 B8E0DD4200              mov eax, 0042DDE0
:0042DCEB E850F1FFFF              call 0042CE40


Cool, we have found where the Crackme compares our s/n (123454) and the real s/n.
We could patch the Crackme by changing:

:0042DCC2 7517                    jne 0042DCDB                     <= bad s/n? then go to 42DCDB

to

:0042DCC2 7417                    je 0042DCDB                      <= good s/n? then go to 42DCDB

But that isn't nice to nIabi. He wrote a very nice crypting routine for us. So at least we 
should get the real s/n. This is fairly easy to do. At 42DCBC both serials are compared, 
remember this address. 

Now you have to use SoftIce again. Place a breakpoint on hmemcpy, and press the check button.
Press F12 a few times, until you get in protected mode 32bit code (prot32). NOW you place the 
breakpoint on 42DCBC and disable the breakpoint on hmemcpy. You CANNOT place the breakpoint on
42DCBC when you are NOT in prot32, because the breakpoint will end up nowhere (you aren't running
the crackme in prot16). 

Go on running the program. You should get kicked back into SoftIce. You end up at the compare
instruction. These two values are compared (using MisterE as name):

d 42F758 => BC CC 6E F3 07 (the 07 isn't important, we won't use it)
d 42F760 => 3E E2 01

Remember: the CPU stores these bytes in reverse order (little-endian, least significant byte first),
so 3E E2 01 should be read as 01 E2 3E, that is 123454 decimal. This is our s/n!!!!!!

BC CC 6E F3 should be F3 6E CC BC, that is 4084124860 decimal. But when you enter this s/n, the
crackme says it is not a valid integer value. Well, that's because the crackme can't handle values
greater than 2147483647 (2^31 - 1). A bug? Nope. When you try to type a s/n in the Crackme you'll
find out that the Crackme accepts 0 to 9 !!AND!! the minus sign (-).
When you type "? F36ECCBC" in SoftIce, you get the values 4084124860 AND -210842436. I am not sure
what this second value is, I think it is the negative value of F3 6E CC BC.
Anyway, this is the right serial.

Enter this s/n and YOU HAVE CRACKED THE CRACKME, but there is more........
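An added example (my own code, not part of this tutor or of nIabI's crackme): reading the two dumps little-endian, as the CPU does, shows where the two numbers SoftIce prints for "? F36ECCBC" come from: the same four bytes read as an unsigned and as a two's complement signed 32-bit integer. Only the signed reading fits an input box that takes digits, a minus sign and at most 2147483647. The byte values are the ones quoted above; the input rule is a mirror of what the tutor describes, not the crackme's own code.

```python
import re

# Byte dumps quoted in the tutor (SoftIce "d" output at the compared addresses):
REAL_SN_DUMP = "BC CC 6E F3"   # d 42F758, the serial the crackme computed
TYPED_SN_DUMP = "3E E2 01"     # d 42F760, the serial we typed (123454)

def dump_to_int(hex_dump: str, signed: bool = False) -> int:
    """Turn a SoftIce-style byte dump ("BC CC 6E F3") into an integer.
    x86 stores the least significant byte first, so the bytes are read in
    reverse order; this is the 'reverse order' rule used in the tutor."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    return int.from_bytes(raw, byteorder="little", signed=signed)

def both_readings(hex_dump: str) -> tuple[int, int]:
    """The unsigned and the two's complement (signed) reading of one dword,
    i.e. the two numbers SoftIce prints for '? F36ECCBC'."""
    unsigned = dump_to_int(hex_dump, signed=False)
    # Bit 31 set means the same bit pattern is a negative number when signed.
    signed = unsigned - 2**32 if unsigned >= 2**31 else unsigned
    return unsigned, signed

def crackme_accepts(text: str) -> bool:
    """Mirror of the input rule described in the tutor (assumed, not the
    crackme's own code): digits with an optional leading minus, and the value
    must fit a signed 32-bit integer (at most 2147483647)."""
    if not re.fullmatch(r"-?\d+", text):
        return False
    return -2**31 <= int(text) <= 2**31 - 1

def serial_to_enter(hex_dump: str) -> str:
    """Pick the reading of the computed serial that the input box accepts."""
    unsigned, signed = both_readings(hex_dump)
    for candidate in (str(unsigned), str(signed)):
        if crackme_accepts(candidate):
            return candidate
    raise ValueError("no reading of %s fits the input rule" % hex_dump)

if __name__ == "__main__":
    print(dump_to_int(TYPED_SN_DUMP))       # 123454
    print(both_readings(REAL_SN_DUMP))      # (4084124860, -210842436)
    print(serial_to_enter(REAL_SN_DUMP))    # -210842436
```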


This is a very nice chance to make a keygenerator. I am having problems with this because I am
not very good at assembly. Right now I am studying "The Art of Assembly".

You can get this book at: http://www.qzx.com

It is obvious that the Crackme starts calculating the real s/n somewhere between 0042DBD0 and 
0042DCB7. I have already found where the Crackme calculates the real s/n and I hope to write a 
tut about how to make a keygen for this very soon (when my assembly is better).
So you could try to make a keygen. When you fail (but you won't) you can check my tut later.

Some tips: The crackme uses the second character of your name to calculate the s/n. In my case it
           uses the "i". The Crackme stores this value as 105d or 69h 
           You can find the ASCII codes in the table below.


BTW: If you can write a good, well explained, keygen in assembly or Basic, mail me!!
     With your permission I could include it in the tutorial.

 
.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


                                 ASCII CODES

Control Characters

     00(00)  NUL   null or time fill        10(16)  DLE   data line escape
     01(01)  SOH   start of heading         11(17)  DC1   device control 1
     02(02)  STX   start of text            12(18)  DC2   device control 2
     03(03)  ETX   end of text              13(19)  DC3   device control 3
     04(04)  EOT   end of transmission      14(20)  DC4   device control 4
     05(05)  ENQ   enquiry                  15(21)  NAK   negative acknowledge
     06(06)  ACK   acknowledge              16(22)  SYN   synchronous idle
     07(07)  BEL   bell                     17(23)  ETB   end of transm blocks
     08(08)  BS    backspace                18(24)  CAN   cancel
     09(09)  HT    horizontal tab           19(25)  EM    end of medium
     0A(10)  LF    line feed                1A(26)  SUB   substitute
     0B(11)  VT    vertical tab             1B(27)  ESC   escape
     0C(12)  FF    form feed                1C(28)  FS    file separator
     0D(13)  CR    carriage return          1D(29)  GS    group selector
     0E(14)  SO    shift out                1E(30)  RS    record separator
     0F(15)  SI    shift in                 1F(31)  US    unit separator
                                        

Graphic Characters

     20(32)        30(48)  0     40(64)  @     50(80)  P     60(96)   ` *   70(112)  p
     21(33)  !     31(49)  1     41(65)  A     51(81)  Q     61(97)   a     71(113)  q
     22(34)  "     32(50)  2     42(66)  B     52(82)  R     62(98)   b     72(114)  r
     23(35)  #     33(51)  3     43(67)  C     53(83)  S     63(99)   c     73(115)  s
     24(36)  $     34(52)  4     44(68)  D     54(84)  T     64(100)  d     74(116)  t
     25(37)  %     35(53)  5     45(69)  E     55(85)  U     65(101)  e     75(117)  u
     26(38)  &     36(54)  6     46(70)  F     56(86)  V     66(102)  f     76(118)  v
     27(39)  '     37(55)  7     47(71)  G     57(87)  W     67(103)  g     77(119)  w
     28(40)  (     38(56)  8     48(72)  H     58(88)  X     68(104)  h     78(120)  x
     29(41)  )     39(57)  9     49(73)  I     59(89)  Y     69(105)  i     79(121)  y
     2A(42)  *     3A(58)  :     4A(74)  J     5A(90)  Z     6A(106)  j     7A(122)  z
     2B(43)  +     3B(59)  ;     4B(75)  K     5B(91)  [     6B(107)  k     7B(123)  { *
     2C(44)  ,     3C(60)  <     4C(76)  L     5C(92)  \ *   6C(108)  l     7C(124)  | *
     2D(45)  -     3D(61)  =     4D(77)  M     5D(93)  ]     6D(109)  m     7D(125)  } *
     2E(46)  .     3E(62)  >     4E(78)  N     5E(94)  ^ *   6E(110)  n     7E(126)  ~ *
     2F(47)  /     3F(63)  ?     4F(79)  O     5F(95)  _     6F(111)  o     7F(127)  DEL   delete




.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


Well, I hope you learned SOMETHING from this tutor.

If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl

OR

look for me at EFNET => #cracking4newbies or #cracking


.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'